Morris Worm: Life After Death

14 Sep 2002

The "Slapper" worm successfully uses 14-year-old technology

Kaspersky Lab, an international data-security software-development company, warns about the detection of a new dangerous Internet worm called "Slapper", which infects computers running the Linux operating system and uses the source-code spreading technology that was used in the notorious Morris Worm in 1988.

To date, Kaspersky Lab has received no user reports that this malicious program has been detected "in the wild". However, a detailed analysis of the worm confirms its high potential to cause a global virus outbreak, and it therefore poses a threat to Linux users.

To find a victim, "Slapper" scans computers connected to the Internet and chooses those that are running the Linux operating system and have an Apache Web server installed. After detecting such a computer, the worm stealthily uploads its copy by exploiting the OpenSSL security breach (buffer overflow).

The main distinctive feature of "Slapper" is that the uploaded worm copy is in source code, not in an already compiled executable package. After the upload is completed, the worm uses the locally installed C compiler (gcc) to produce an executable copy of itself and then launches it. This method makes "Slapper" compatible with all Linux types regardless of the distribution manufacturer and kernel version.

This method was invented in November 1988 and was applied for the first time in the notorious Morris Worm, which succeeded in infecting more than 6000 companies worldwide (including NASA Research Institute), resulting in a $96 million loss. Until now, this method of spreading source code has never been used.

"It is quite possible that "Slapper" will initiate a new wave of multi-platform malware development, which will be able to infect not only Linux, but Windows, Unix and other operating systems simultaneously. This is obvious because C compilers can be found on every commonly used platform as well as security breaches through which malware will "worm" on victim computers," said Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Lab. "The worm's other side effect will be the appearance of its numerous clones. To create a modified version, a person will only need to apply the necessary changes to the source code that will be available everywhere in the Internet. With this in mind we have already started the development of the applicable add-on to the heuristic technology integrated in Kaspersky Anti-Virus that will allow us to catch even unknown Slapper-style worms," he added.

In addition, "Slapper" poses a threat to data confidentiality on infected computers. The worm contains backdoor features (unauthorized remote administration) that can allow a malicious person to perform certain unwanted actions, such as the execution of remote commands, data theft, involvement in distributed DoS attacks, etc.

Protection against "Slapper" has already been added to the daily update of Kaspersky™ Anti-Virus. More details about "Slapper" can be found in the Kaspersky Virus Encyclopedia.
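The spreading method described above, source code built on the target with the local gcc, shows up on a host as a compiler run that descends from the Web server process. The following Python check is an added example, not part of the original release or of any Kaspersky product; the "pid ppid user exe" record format, the binary names, and the sample events are constructed assumptions.

```python
# Added example: flag compiler runs that descend from a web server process.
# Record format "pid ppid user exe" and every sample value are constructed.
import os

WEB_SERVERS = {"httpd", "apache", "apache2"}  # assumed server binary names
COMPILERS = {"gcc", "cc", "g++", "c++"}       # assumed compiler driver names

SAMPLE_EVENTS = """\
100 1 root /usr/sbin/httpd
101 100 apache /usr/sbin/httpd
200 1 root /usr/sbin/sshd
201 200 dev /bin/bash
202 201 dev /usr/bin/gcc
300 101 apache /bin/sh
301 300 apache /usr/bin/gcc
"""

def parse_events(text):
    """Return {pid: (ppid, user, exe)} from whitespace-separated records."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # skip malformed records instead of failing
        procs[int(fields[0])] = (int(fields[1]), fields[2], fields[3])
    return procs

def web_server_ancestor(pid, procs):
    """Walk parent links; return the nearest web server ancestor pid, or None."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)  # guard against loops caused by pid reuse in the log
        if os.path.basename(procs[ppid][2]) in WEB_SERVERS:
            return ppid
        ppid = procs[ppid][0]
    return None

def compiler_under_web_server(text):
    """Return [(pid, user, exe, server_pid)] for compilers started below a web server."""
    procs = parse_events(text)
    hits = []
    for pid, (_, user, exe) in sorted(procs.items()):
        if os.path.basename(exe) in COMPILERS:
            server = web_server_ancestor(pid, procs)
            if server is not None:
                hits.append((pid, user, exe, server))
    return hits

if __name__ == "__main__":
    for hit in compiler_under_web_server(SAMPLE_EVENTS):
        print("ALERT compiler under web server:", hit)
```

The developer's interactive gcc run (pid 202) is not flagged because its ancestry leads to sshd, while the run under the Web server worker (pid 301) is.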